Network DDoS Incident Response Cheat Sheet

This cheat sheet offers tips for battling a network distributed denial-of-service (DDoS) attack on your infrastructure. To print, use the one-sheet PDF version; you can also edit the Word version for your own needs. If you are an incident handler looking to take on the management of a non-DDoS security incident, see the related incident questionnaire cheat sheet.

General Considerations

DDoS attacks often take the form of flooding the network with unwanted traffic; some attacks focus on overwhelming resources of a specific system.

It will be very difficult to defend against the attack without specialized equipment or your ISP’s help.

Often, too many people participate during incident response; limit the number of people on the team.

DDoS incidents may span days. Consider how your team will handle a prolonged attack. Humans get tired.

Understand your equipment’s capabilities in mitigating a DDoS attack. Many under-appreciate the capabilities of their devices, or overestimate their performance.

Prepare for a Future Incident

If you do not prepare for a DDoS incident in advance, you will waste precious time during the attack.

Contact your ISP to understand the paid and free DDoS mitigation it offers and what process you should follow.

Create a whitelist of the source IPs and protocols you must allow if prioritizing traffic during an attack. Include your big customers, critical partners, etc.
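One way to make such a whitelist usable under pressure is to keep it in a machine-readable form and test it against sample flow records before an attack. The script below is an added example, not part of the original cheat sheet; the allowlist entries, the (network, protocol) format and the flow records are all constructed for illustration.

```python
"""Allowlist matcher for prioritising traffic during a DDoS (added example)."""
import ipaddress

# Constructed allowlist: (CIDR, protocol or "any"). Format is an assumption.
ALLOWLIST = [
    ("203.0.113.0/24", "tcp"),    # big customer's office range, TCP only
    ("198.51.100.7/32", "any"),   # critical partner's API gateway, any protocol
    ("2001:db8:10::/48", "udp"),  # partner's VoIP range, UDP only
]

def compile_allowlist(entries):
    """Parse CIDR strings once so matching during an incident is cheap."""
    compiled = []
    for cidr, proto in entries:
        compiled.append((ipaddress.ip_network(cidr, strict=False), proto.lower()))
    return compiled

def is_allowlisted(src_ip, proto, compiled):
    """True if the source address falls in an entry that permits this protocol."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:          # malformed addresses never match
        return False
    proto = proto.lower()
    for net, allowed_proto in compiled:
        if addr.version != net.version:
            continue
        if addr in net and allowed_proto in ("any", proto):
            return True
    return False

def triage_flows(flows, compiled):
    """Split (src_ip, proto, bytes) records into (keep, shed) lists."""
    keep, shed = [], []
    for src, proto, nbytes in flows:
        (keep if is_allowlisted(src, proto, compiled) else shed).append((src, proto, nbytes))
    return keep, shed

# Constructed sample flow records: (source IP, protocol, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.45", "tcp", 12000),
    ("203.0.113.45", "udp", 800000),   # UDP from the customer range is not prioritised
    ("198.51.100.7", "udp", 4000),
    ("192.0.2.99", "tcp", 950000),     # unknown source
    ("2001:db8:10::1", "udp", 3000),
    ("not-an-ip", "tcp", 10),
]

if __name__ == "__main__":
    keep, shed = triage_flows(SAMPLE_FLOWS, compile_allowlist(ALLOWLIST))
    print("keep:", keep)
    print("shed:", shed)
```

Run it against exported NetFlow or firewall logs from a normal day to confirm the list actually covers your important sources before you need it.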

Confirm DNS time-to-live (TTL) settings for the systems that might be attacked. Lower the TTLs, if necessary, to facilitate DNS redirection if the original IPs get attacked.


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.